Devsworld News

Financial API Security: Whose Job is it Anyway?

Financial data APIs are enabling significant innovation in financial services and empowering consumers to better understand and manage their finances. With the emergence of the open financial Web, the opportunity for better services and better user experiences is significant. However, as with any fintech endeavor, security is key. This requires everyone involved to take a share of the responsibility for securing sensitive financial data.

The “newness” of APIs used with fintech personal finance apps

Surprisingly, sharing data across the open financial Web is still a relatively new concept in the digital age. And yet, there is a continuing influx of technologies that require transaction data to help consumers manage their money. The result is consumers are increasingly tapping into their banking and other financial credentials through payments or personal finance apps such as Venmo and Mint.

The open financial Web operates on a pub-hub-sub model, with financial institutions as publishers, data aggregators acting as the data hub and app developers as the subscribers of the data. Before the pub-hub-sub open financial Web model came into play, only banks used customer financial transaction data, mostly for internal marketing purposes. Now, a variety of other financial services organizations and apps require this customer data. Such significant demand requires an efficient and secure way for data to be shared between banks, data aggregators and apps.

Who takes responsibility for security?

Since global data sharing is a rapidly emerging concept for most involved, some details need to be ironed out, including security responsibility. Ultimately, it must be a shared effort between banks and API providers. Here’s an overview of how each can do their part to ensure data security.

Banks

While there have been some roadblocks in sharing user data – including some institutions blocking customer data from being used for financial apps such as Mint – the reality is that global financial data sharing is beneficial to all. As a result, banks will benefit by implementing a standard for sharing their users’ data. This will make sharing more efficient, more secure and can actually give the banks more control.

Currently there are two standards: Open Financial Exchange (OFX) 2.2 and the Durable Data API (DDA). Both are tokenized authentication services that allow users’ data to move throughout the open financial Web model without their identity being known, compromised or used by unauthorized parties.

OFX 2.2 enables the use of authentication tokens and is an upgrade from earlier versions that were username and password based. It facilitates more efficient data transfers between aggregators and financial institutions, while offering a secure way for consumers to access their own financial data. DDA is a similar service developed by Financial Services Information Sharing and Analysis Center (FS-ISAC).

Banks are keenly aware of the security implications of global data sharing and are working hard to protect customer information. Utilizing a standards-based approach will enable them to gain better control of customer banking credentials, which users currently enter into budgeting apps.

API publishers

The responsibility of an API publisher, or data aggregator, is to “watch the door.” They need to make sure the API is being used correctly and by the right people. They write and enforce the rules for fair use of the API. This ensures banks, financial institutions and app developers can effectively and securely share customer information. In the long run, this helps businesses across the open financial Web create more robust financial service offerings, creating stronger, long-term relationships with their customers. At the same time, “watching the door” keeps fraudsters and others looking to compromise the information out of the picture.
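The two responsibilities above, the bank issuing and checking scoped tokens instead of handing out credentials, and the hub “watching the door” with fair-use and revocation checks, are sketched in the following added example. It is illustrative code written for this page, not Finicity’s code and not the OFX 2.2 or DDA protocol; it assumes a hypothetical HMAC-signed token shared between a hub and a bank, a constructed demo secret and a constructed ledger, where a real deployment would use an OAuth 2.0 / JWT stack with asymmetric keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the hub and the bank (hypothetical; not for production).
HUB_BANK_SECRET = b"constructed-demo-secret-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_claims(claims: dict, secret: bytes) -> str:
    """Encode claims and append an HMAC-SHA256 tag: '<base64 claims>.<base64 tag>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


class Bank:
    """Publisher: holds the ledger and the real credentials; the app never sees either."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # Constructed sample ledger for one user.
        self.ledger = {"alice": [{"amount": -12.50, "memo": "coffee"},
                                 {"amount": 2000.00, "memo": "salary"}]}

    def verify(self, token: str, now: float):
        """Return the claims if the tag is genuine and the token is unexpired, else None."""
        try:
            body, tag = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return None
        return claims

    def transactions(self, token: str, now: float):
        """Serve the user's transactions only to a valid token carrying the right scope."""
        claims = self.verify(token, now)
        if claims is None:
            return ("denied", "invalid or expired token")
        if "transactions:read" not in claims["scope"]:
            return ("denied", "token lacks transactions:read scope")
        return ("ok", self.ledger.get(claims["sub"], []))


class DataHub:
    """Hub (aggregator): mints scoped tokens for apps and 'watches the door' on every call."""

    def __init__(self, secret: bytes, rate_limit: int = 3, window: float = 60.0):
        self.secret = secret
        self.rate_limit = rate_limit   # fair-use rule: calls per app per window
        self.window = window
        self.revoked = set()           # token ids (jti) the user or hub has revoked
        self.calls = {}                # app_id -> timestamps of recent calls

    def issue_token(self, user_id: str, app_id: str, scopes, now: float, ttl: float = 3600):
        """Mint a token bound to one user, one app, an explicit scope list and an expiry."""
        claims = {"sub": user_id, "app": app_id, "scope": sorted(scopes),
                  "exp": now + ttl, "jti": f"{app_id}:{user_id}:{int(now)}"}
        return sign_claims(claims, self.secret)

    def revoke(self, token: str):
        """Blacklist a token by id, e.g. when the user disconnects an app."""
        self.revoked.add(json.loads(_unb64(token.split(".")[0]))["jti"])

    def relay(self, bank: Bank, app_id: str, token: str, now: float):
        """Apply fair-use and revocation checks, then forward the request to the bank."""
        recent = [t for t in self.calls.get(app_id, []) if now - t < self.window]
        if len(recent) >= self.rate_limit:
            return ("denied", "rate limit exceeded")
        self.calls[app_id] = recent + [now]
        try:
            jti = json.loads(_unb64(token.split(".")[0]))["jti"]
        except Exception:
            return ("denied", "malformed token")
        if jti in self.revoked:
            return ("denied", "token revoked")
        return bank.transactions(token, now)


if __name__ == "__main__":
    bank, hub, t0 = Bank(HUB_BANK_SECRET), DataHub(HUB_BANK_SECRET), 1_700_000_000.0
    token = hub.issue_token("alice", "budget-app", ["transactions:read"], now=t0)
    print(hub.relay(bank, "budget-app", token, t0 + 1))
    hub.revoke(token)
    print(hub.relay(bank, "budget-app", token, t0 + 2))
```

The design point is that the budgeting app only ever holds a token that names one user, one app, a scope list and an expiry: the bank can refuse a forged or expired token, refuse a token whose scope does not cover the request, and the hub can throttle or revoke an app without anyone rotating the user’s real banking password.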

The prospect of implementing data sharing standards and APIs will usher in a new era of innovative financial services solutions, but it’s important that those working within the open financial Web each play their role for security to bring these new solutions to fruition.

About the Author

Steve Smith is the chairman, CEO and co-founder of Finicity, a leading financial data aggregator enabling innovation in the fintech industry through its modern RESTful API and Finicity Platform.